Windows 7 cannot open the ASA SSL ××× and ASDM home pages

IT staff often manage a Cisco ASA (ASDM, SSL ×××) from a Windows 7 machine.

Problem description
The configuration itself is fine: access from Windows XP works perfectly, but the same access from Windows 7 fails.


We can turn on logging to see the reason:
szhskj(config)#logging buffered debugging      (record logs at debug level)
szhskj(config)#logging buffer-size 1048576     (enlarge the log buffer, otherwise older entries get flushed out)
szhskj(config)#logging on

Now open the ASA home page again with IE on Windows 7, then run show logging on the ASA:
%ASA-7-609002: Teardown local-host outside:10.1.1.1 duration 0:01:05
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:01:05
%ASA-6-725007: SSL session with client outside:10.1.1.1/1084 terminated.
%ASA-7-609001: Built local-host outside:10.1.1.2
%ASA-7-609001: Built local-host identity:10.1.1.10
%ASA-6-302013: Built inbound TCP connection 14 for outside:10.1.1.2/49177 (10.1.1.2/49177) to identity:10.1.1.10/443 (10.1.1.10/443)
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 14 for outside:10.1.1.2/49177 to identity:10.1.1.10/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-7-609002: Teardown local-host outside:10.1.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host identity:10.1.1.10 duration 0:00:00

The key lines show that the two sides' SSL cipher suites do not match: the ASA offers only DES-CBC-SHA, the Windows 7 client proposes eight suites and DES-CBC-SHA is not among them, so the handshake fails with "no shared cipher" and the ASA resets the connection.

You can check which ciphers the ASA currently supports:

szhskj(config)#show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
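The diagnosis above (compare the suites in the 725010/725011 lines against the 725008/725011 lines, then work out which "ssl encryption" keywords are missing and whether the license allows them) is mechanical enough to script. The following Python is an added example, not code from the post or from Cisco; it parses the post's own show logging excerpt and the 3DES-AES license line from show version, computes the shared-suite set, and emits the ssl encryption command that would cover what the client offers. The mapping from the OpenSSL-style suite names in the log to ASA keywords is assumed from the show ssl and ssl encryption lines on this page; the sample inputs are constructed from the page's output.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the "show logging" lines from the post that the
# diagnosis needs (message IDs 725010, 725011, 725008 and 725014).
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:10.1.1.2/49177 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client outside:10.1.1.2/49177 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

# Constructed sample input: the relevant license line of "show version", kept
# exactly as the post prints it (the post masks the word before "-3DES-AES").
SAMPLE_VERSION = "×××-3DES-AES : Disabled perpetual\n"

# OpenSSL-style suite names as logged by the ASA, mapped to the keywords that
# "ssl encryption" accepts (assumed from the "show ssl" output on the page).
# Suites with no ASA keyword (the DHE-DSS/EDH-DSS ones) cannot be enabled and are skipped.
ASA_KEYWORD = {
    "DES-CBC-SHA": "des-sha1",
    "DES-CBC3-SHA": "3des-sha1",
    "RC4-MD5": "rc4-md5",
    "RC4-SHA": "rc4-sha1",
    "AES128-SHA": "aes128-sha1",
    "AES256-SHA": "aes256-sha1",
    "NULL-SHA": "null-sha1",
}

# Keywords the post shows being rejected while the 3DES-AES license is disabled.
LICENSED_KEYWORDS = {"3des-sha1", "aes128-sha1", "aes256-sha1"}

CIPHER_RE = re.compile(r"Cipher\[\d+\]\s*:\s*(\S+)")
LICENSE_RE = re.compile(r"3DES-AES\s*:\s*(\w+)")


def parse_handshake(log: str) -> Dict[str, Any]:
    """Split one logged handshake into the suites the ASA offered, the suites the
    client proposed, and the failure reason (None if no 725014 line is present)."""
    server: List[str] = []
    client: List[str] = []
    error: Optional[str] = None
    target: Optional[List[str]] = None
    for line in log.splitlines():
        if "725010" in line:          # "Device supports the following N cipher(s)"
            target = server
        elif "725008" in line:        # "SSL client ... proposes the following N cipher(s)"
            target = client
        elif "725014" in line:        # "SSL lib error ... Reason: <text>"
            error = line.split("Reason:", 1)[-1].strip()
        elif "725011" in line and target is not None:
            m = CIPHER_RE.search(line)
            if m:
                target.append(m.group(1))
    return {"server": server, "client": client, "error": error}


def license_state(version_output: str) -> Optional[str]:
    """Return 'Enabled'/'Disabled' for the 3DES-AES feature, or None if not found."""
    m = LICENSE_RE.search(version_output)
    return m.group(1) if m else None


def diagnose(log: str, version_output: str) -> Dict[str, Any]:
    """Explain a 'no shared cipher' failure and propose the ssl encryption line."""
    hs = parse_handshake(log)
    shared = [c for c in hs["client"] if c in hs["server"]]
    # Suites the client offers that the ASA could enable but has not, in the
    # client's own preference order.
    enable = [ASA_KEYWORD[c] for c in hs["client"]
              if c in ASA_KEYWORD and c not in hs["server"]]
    lic = license_state(version_output)
    blocked = lic != "Enabled" and any(k in LICENSED_KEYWORDS for k in enable)
    return {
        "shared": shared,
        "error": hs["error"],
        "enable_keywords": enable,
        "command": ("ssl encryption " + " ".join(enable)) if enable else None,
        "license_3des_aes": lic,
        "blocked_by_license": blocked,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_VERSION).items():
        print(f"{key}: {value}")
```

Run against the page's log the script reports an empty shared set, the "no shared cipher" reason, the five keywords the post goes on to enable, and that three of them are blocked while the 3DES-AES license reads Disabled. The keyword list follows the client's preference order rather than the order the post types them in; the ASA's "Enabled cipher order" is what decides the final pick. RC4 and 3DES appear in the list only because that is what this client proposes; both are deprecated today, so on any platform that still allows you to choose, keep the order to the AES entries.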

See? The ASA has only the des-sha1 cipher enabled. Without further ado, enable the other ciphers:
szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1
If, after entering the command above, the ^ error marker appears under the line, congratulations: go and check the ASA's license.
cisco(config)#show version
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
×××-DES : Enabled perpetual
×××-3DES-AES : Disabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other ××× Peers : 5000 perpetual
Total ××× Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco ××× Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
There is no 3DES license. What now? Click the link below and request a 3DES license; it is free:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Use show version to find the ASA's serial number (SN).

Enter the serial number and Cisco will send an email to your mailbox; the email content is shown in the picture below:

Activate the key from the email on the ASA:
ciscoasa(config)# activation-key  0f37f47e 44f47d72 94726194 b3e0308c 4835338f

After activation, configure the ASA's ciphers again:

szhskj(config)# ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5 rc4-sha1

Done. Now go and try again.





